EU launches legal action against Spain over ‘excessive’ traveller data collection
The European Union announced that it has launched infringement proceedings against Spain for failing to comply with its regulations on passenger data protection. The proceedings claim that the categories of data about passengers, as well as the time for which the authorities keep them, are excessive. Spain’s data privacy issue: Too much data, held for too much time To be specific, Spain requires travel accommodation providers, online booking platforms, and car rental companies to collect and store travellers’ personal data in a government database. However,
the amount of data collected, as well as the categories, including payment information and GPS data, is the main point of contention. Additionally, Brussels alleges that law enforcement authorities have too broad access to this data without limitations. Spanish authorities also retain the information for a period of three years, which Brussels states is “disproportionate.” Brussels launches formal proceedings: What will happen if Spain does not correct the problem within 2 months Brussels announced the proceedings on Thursday, June 4, having sent a formal notice
letter to Spanish representatives. Spain now has two months to correct the system for collecting traveller data. If the issue is not resolved, Brussels can negotiate more time with Spanish authorities, but if an agreement is not reached, Spain could be denounced before the Court of Justice of the European Union (CJEU). If this occurs, and the CJEU rules that Spain has not complied with EU regulations, they could legally obligate the member state to comply, and in more extreme cases, impose strict fines on
the country. Travel organisations: Vindicated, but urging for immediate change Following the announcement of the proceedings, FETAVE (the Spanish Federation of Territorial Associations of Travel Agencies), and UNAV (the Union of Travel Agencies), have put in a request for the Ministry of the Interior to suspend the application of the Royal Decree 933/2021, which obligates these agencies to collect, store, and send the data. FETAVE, which is currently in the process of merging with UNAV, highlighted that it was the only Spanish tourism sector organisation
that challenged the Royal Decree 933/2021 with European Union law, in January 2023. Since then, the organisation has consistently opposed the regulation. Now, the two organisations state that the European Commission’s decision to impose sanctions on Spain confirms their suspicions about the “disproportionate” nature, “legal uncertainty” and “practical unfeasibility” of the obligations of the decree. Carlos Garrido, President of the Spanish Confederation of Travel Agencies, stated, “the obligation to collect and communicate tens of thousands of personal data points from millions of travellers has placed
a disproportionate administrative burden on travel agencies and other tour operators, without a convincing explanation for the necessity of much of this data.” But what will change for travellers if Spain is forced to comply? The review and change of this royal decree will not have a broad, obvious impact for travellers checking in to hotels or renting cars, but the new compliance may see holidaymakers with slightly less paperwork to do upon arrival (or less fields to fill on an online form), and more
transparency from travel agencies and booking companies in Spain. Could the Entry/Exit System be impacted by the decision? The EES can be reviewed, examined by the CJEU, and changed, but only through an EU legislative process. As it stands, the data collected from the EES across the whole of Europe and the data collected specifically in Spain function as two separate systems, and changing the EES would be a Europe-wide review of the framework, not on a national level.
European Union, Spain, infringement proceedings, passenger data protection, traveller data, Royal Decree 933/2021, data retention, GDPR, Court of Justice of the European Union, EES, FETAVE, UNAV, Carlos Garrido